Security Rules

Qryon includes 647+ security rules covering OWASP Top 10, CWE, and language-specific vulnerabilities. Rules are Semgrep-compatible and can be extended with custom patterns.

Rule Categories

Injection Vulnerabilities (A03:2021)

Rule ID | Description | Languages
sql-injection | SQL query with unsanitized input | JS, TS, Python, Java, Go
nosql-injection | NoSQL query injection (MongoDB, etc.) | JS, TS, Python
command-injection | OS command with user input | All
ldap-injection | LDAP query with unsanitized input | Java, Python
xpath-injection | XPath query with unsanitized input | Java, Python
template-injection | Server-side template injection | Python, JS

Cross-Site Scripting (A03:2021)

Rule ID | Description | Languages
xss-reflected | Reflected XSS via request parameters | JS, TS, Python, Java
xss-stored | Stored XSS from database content | JS, TS, Python, Java
xss-dom | DOM-based XSS via client-side code | JS, TS
react-unsafe-render | React unsafe HTML rendering | JS, TS
angular-bypass-security | Angular security bypass methods | TS

Broken Access Control (A01:2021)

Rule ID | Description | Languages
path-traversal | Directory traversal via user input | All
ssrf | Server-side request forgery | All
open-redirect | Unvalidated redirect destination | JS, TS, Python, Java
idor | Insecure direct object reference | All
cors-misconfiguration | Overly permissive CORS settings | JS, TS, Python, Java

Cryptographic Failures (A02:2021)

Rule ID | Description | Languages
weak-crypto-algorithm | Use of MD5, SHA1, DES, etc. | All
hardcoded-secret | Secrets in source code | All
weak-random | Math.random() for security | JS, TS, Python, Java
missing-encryption | Sensitive data without encryption | All
weak-tls | TLS versions below 1.2 or weak ciphers | All

Insecure Deserialization (A08:2021)

Rule ID | Description | Languages
unsafe-deserialization | Deserializing untrusted data | Python, Java
unsafe-object-loading | Loading serialized objects unsafely | Python
yaml-unsafe-load | Unsafe YAML loading | Python
java-object-input | Java ObjectInputStream vulnerabilities | Java

Security Misconfiguration (A05:2021)

Rule ID | Description | Languages
debug-enabled | Debug mode in production | All
verbose-errors | Stack traces exposed to users | All
missing-security-headers | Missing CSP, HSTS, etc. | JS, TS, Python, Java
default-credentials | Default passwords or keys | All

Rule Severity Levels

# View rules by severity
rma rules list --severity critical
rma rules list --severity high

# Override severity in config
[rules.severity_override]
"react-unsafe-render" = "critical"
"missing-alt-text" = "info"

Enabling/Disabling Rules

# Disable specific rules
rma scan . --disable sql-injection --disable xss-reflected

# Enable only specific rules
rma scan . --enable sql-injection --enable command-injection

# Disable rule categories
rma scan . --disable "style-*"

# Configuration file
[rules]
disabled = [
  "style-*",
  "info-*",
  "javascript/console-log"
]

enabled = [
  "security/*",
  "owasp/*"
]

Rule Information

# List all rules
rma rules list

# Show rule details
rma rules info sql-injection

# Output:
Rule: sql-injection
Severity: HIGH
Languages: javascript, typescript, python, java, go
Category: security/injection
CWE: CWE-89

Description:
  SQL injection occurs when untrusted data is sent to an interpreter
  as part of a command or query. This can allow attackers to run
  arbitrary SQL commands.

Pattern:
  query($USER_INPUT)
  where $USER_INPUT is tainted from request

References:
  - https://owasp.org/Top10/A03_2021-Injection/
  - https://cwe.mitre.org/data/definitions/89.html

Examples:
  Bad:
    db.query(`SELECT * FROM users WHERE id = '${req.params.id}'`)

  Good:
    db.query('SELECT * FROM users WHERE id = ?', [req.params.id])
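
A custom rule written in Semgrep's YAML taint-mode format that encodes the pattern shown above (request data flowing into the query text of query()), added here as an example; it is not one of Qryon's shipped rules. It assumes that Qryon's Semgrep compatibility means it loads standard Semgrep rule files, and the Express source names (req.params, req.query, req.body), the $DB.query sink and the numeric-coercion sanitizers are assumptions chosen to match the Bad/Good snippets.

```yaml
# Added example: a custom Semgrep-style taint rule for the sql-injection
# pattern above. Assumed to be loadable by Qryon through its Semgrep
# compatibility; it is not part of the tool's bundled rule set.
rules:
  - id: custom-express-sql-injection
    mode: taint
    languages: [javascript, typescript]
    severity: ERROR
    message: >-
      Request data reaches a SQL query string without parameterization.
      Pass user input as a bound parameter instead of building query text.
    metadata:
      category: security/injection
      cwe: "CWE-89"
      owasp: "A03:2021"
      references:
        - https://owasp.org/Top10/A03_2021-Injection/
        - https://cwe.mitre.org/data/definitions/89.html
    # Sources: data read from the Express request object (assumed names).
    # Taint propagates through member access, so req.params.id is covered.
    pattern-sources:
      - pattern-either:
          - pattern: req.params
          - pattern: req.query
          - pattern: req.body
    # Sanitizers: a value coerced to a number can no longer carry SQL syntax.
    pattern-sanitizers:
      - pattern: parseInt(...)
      - pattern: Number(...)
    # Sink: only the query-text argument of $DB.query(...). focus-metavariable
    # stops the bound-parameter array in the "Good" snippet from being flagged,
    # while the template literal in the "Bad" snippet still matches.
    pattern-sinks:
      - patterns:
          - pattern: $DB.query($QUERY, ...)
          - focus-metavariable: $QUERY
```

With the standard Semgrep CLI, `semgrep --config <rule-file> <dir>` runs the rule: the Bad snippet above produces a finding and the Good one does not.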

Rule Statistics

Category | Rule Count
Injection | 87
XSS | 45
Access Control | 62
Cryptography | 78
Authentication | 54
Secrets | 120
Configuration | 89
Other | 112
Total | 647+

Language-Specific Rules

JavaScript/TypeScript

  • React security patterns
  • Node.js specific (child_process, fs)
  • Express.js middleware issues
  • Prototype pollution
  • npm package vulnerabilities

Python

  • Django/Flask security patterns
  • Unsafe deserialization
  • subprocess injection
  • SQL injection in ORMs
  • SSTI in Jinja2/Mako

Java

  • Spring Security misconfigurations
  • JDBC SQL injection
  • XXE in XML parsers
  • Insecure ObjectInputStream
  • Log injection

Go

  • SQL injection in database/sql
  • Command injection via os/exec
  • Weak crypto packages
  • HTTP security headers

Rust

  • Unsafe block misuse
  • SQL injection via sqlx/diesel
  • Memory safety issues
  • Crypto library usage

Next Steps